Skip to main content
Splunk Lantern

Large wire transfer immediately after account activation

The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help you see if new customers are trying to transfer large sums of money immediately after activating an account. For more information, review the use case detecting wire transfer fraud.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.  

Splunk Search Explanation
|sourcetype=<wire transfer data source> Search your wire transfer data.
|eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S") Convert the time to a UNIX timestamp. 
|sort - _time Sort the results with the most recently occurring first.
|where _time<relative_time(OpenDate, "+1d") and amount>10000

Add 1 day to the current Open Date Time using relative_time. Check whether the current time is less than that and the transfer amount is greater than 10,000.

|eval AccountOpenDate=strftime(OpenDate,"%Y-%m-%d %H:%M:%S") Convert the UNIX time value of the account opening date into the format of the locale, as defined by the server's operating system, and place it in a field called AccountOpenDate.
|iplocation destIP Extract location information from the destination IP address.
|rename Country AS DestCountry City AS DestCity Rename the fields as shown for better readability.
|table _time,AccountOpenDate, customer, amount, FromAccount, ToAccount, DestCountry, DestCity Display the results in a table with columns in the order shown.
|eval amount=tostring(round(amount, 2),"commas") Round the amount value to two decimals places and add commas for better readability.